Policy | Security | Investigation

hacking investigation

July 14, 2009

How are data holders to comply with the swelling riot of data security laws? These laws include breach notification laws, which require that individuals and/or government be notified when the security of private data has been compromised. Perfect compliance is impossible.

Almost all the states have adopted breach notice laws – though they are not uniform – and legislatures are expanding the scope of the laws.

The original law from California (effective six years ago) focused on identity information – name plus Social Security number, driver’s license number or financial account number. Then the California legislature expanded its law to also include breaches of medical data. That expansion became effective January 1, 2009. Result? In the first five months of 2009, California authorities were notified of a whopping 823 healthcare data breaches, mostly through self-reporting by healthcare entities. That’s just one industry, in one state, in five months. And California authorities anticipate that the flow of notices will rise as people in the healthcare community become better aware of the new law.

A data breach can occur in myriad ways: a misdirected fax or e-mail, a hacking incident or snooping by an employee.

Meanwhile, we see floods of breach notices issued in other states and other industries – retail, nonprofit, colleges, financial, professional services, water districts, school districts, county government, municipal government, state government, federal government. No organization is immune. As these laws sit longer on the books, the flow of notices grows larger and larger.

Why are there so many notices? The reason is that the laws assume that 100% data privacy can reasonably be achieved. They further assume that any shortcoming (or suspected shortcoming) of data privacy should be an unusual event within well-managed enterprises. The assumptions are wrong. The expectations of the public, and especially the expectations of policy makers, are out of touch with the reality of modern data management. These outsized expectations contribute to a growing risk of monetary liability on the part of data holders.

So what are data holders to do? Obviously they need to invest in data security, training and investigation – and they have been. But banks, schools, utilities, clinics, hospitals, merchants and government agencies can throw massive investments at this problem and never meet present expectations.